Innovations for an eID Architecture in Germany



Contents

1. The new identity card: secure, standardized proof of identity in the digital world
2. User-oriented requirements for the identification function of the new identity card
3. Application software for users: AusweisApp
4. Security mechanisms for the identification function of the new ID card
   4.1 Password Authenticated Connection Establishment (PACE)
   4.2 Extended Access Control (EAC), readers and EAC box
   4.3 Passive Authentication (PA)
   4.4 Public Key Infrastructures (PKI) for electronic identity documents
       Country Signing Certificate Authority (CSCA)
       Country Verifying Certificate Authority (CVCA)
5. The eID server interface for web applications
6. Revocation management in the new German identity card
7. References
Imprint

The BSI

The German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) is Germany's central IT security service provider: a neutral, independent authority for issues relating to IT security in the information society. The BSI provides information on risks and threats relating to the use of information and communication technology, develops security guidelines, and advises manufacturers, distributors and users. The BSI primarily advises public administrations on the national, state and local levels, but also seeks to exchange information with businesses and private users.

1. The new identity card: secure, standardized proof of identity in the digital world

Starting November 1st, 2010, the new identity card will be introduced in Germany as an electronic, multi-functional card in credit-card format, valid as a travel document and as proof of identity both in person and in the electronic world. This identity card implements an innovative concept based on a contactless interface that is already in use for electronic passports world-wide. The new identity card not only represents a modern sovereign document that will significantly improve the identification of persons, e.g. when crossing borders. The ID card will also be equipped with additional electronic functions, in particular electronic identification (eID) and the optional Qualified Electronic Signature (QES), which offer users significant advantages. These functions enable individuals to positively identify themselves online and to issue legally binding electronic declarations of will. They are thus a key instrument for enabling legally valid contracts to be concluded over the Internet, and are intended to promote streamlined eGovernment and eBusiness services.

The introduction of the identification function of the new identity card entailed preparing, developing and deploying a sophisticated IT infrastructure and embedding it in a complex overall system with more than 60 million participating individuals. This first required that the associated organizational, legal and technical prerequisites be created. The German ID Card Act [PAuswG 2010] sets out the general legal framework for identity documentation and electronic proof of identity; the corresponding regulation [PAuswV 2010] defines in particular the requirements for security and data protection of the eID infrastructure. These are augmented by close to 20 Technical Guidelines and protection profiles promulgated by the Federal Office for Information Security (BSI), which are published in binding form in the German Federal Gazette. Some of these requirements are explained as examples in this brochure.

The infrastructure of the new identity card is intended to realize trustworthy and efficient identity management. The combination of a sovereign identity document with eID functionality for eBusiness and eGovernment will also provide users with a secure identity in the electronic world and afford them better protection against many types of cybercrime, such as phishing and identity theft. Particular priority was placed on data protection, data security and the preservation of informational self-determination. All disclosures and transmissions are reliably protected using internationally recognized and established encryption processes. As part of the eID function, user data are exchanged only between the provider of the service and the holder of the identity document. Biometrically relevant data, i.e. the photo, fingerprints where applicable, eye color, height and personal signature, are never transmitted to service providers or via the Internet. Only sovereign authorities possess the authorization and the technical means to query such sensitive information.

2. User-oriented requirements for the identification function of the new identity card

As a protective function for the personal data stored on the ID card chip, legal requirements stipulate that all institutions wishing to access some or all of these data must possess an appropriate authorization. Before such an authorization is issued, government authorities review which data the service provider (e.g. an online retailer, or also a public office) absolutely requires for its purposes, and whether it is trustworthy. The authorization is always issued for a limited period only and can be revoked. Technically, the authorization is implemented using authorization certificates whose status is queried during Terminal Authentication.

Before the new ID card releases data to a service provider holding an authorization certificate, the service provider must display its certificate, and thus also the data it is allowed to read. The holder of the identity card always has the option of restricting the read authorization to fewer data. The ID card holder must then enter a six-digit personal identification number (PIN). If the electronic verification of the authorization certificate is positive, the data are released. All data are transmitted in encrypted form. The read authorization can be restricted so that, for example, only age-related information can be queried.

There is also a pseudonym function that enables users to log on to and be recognized by a service provider such as an Internet forum without revealing any personal data to the service provider. This function is card- and service-specific: in other words, service providers who compare their databases cannot determine whether the pseudonyms registered there belong to one and the same person.

In the event that the new identity card is lost, the eID functionality can be revoked using a personal password (revocation management, see chapter 6). If the personal identification number is entered incorrectly three times, its reactivation requires a PIN unblocking key (PUK). If desired, the card's eID functionality can be disabled by the issuing authority.

A QES function can also be activated on the new identity card. Using this signature, it is possible to fulfill requirements for the written form under contract law by electronic means. The electronic certificates required for this process can be purchased from commercial providers.

3. Application software for users: AusweisApp

In order to use their new identity card online, users require software that serves as the interface between the ID card, the card reader and the service provider's eID server. This software, called AusweisApp ("Ausweis" is the German word for ID document), will be available free of charge on a web portal of the German Federal Ministry of the Interior for the operating systems Windows, Linux and Mac OS. In addition to the identification function of the new ID card, AusweisApp also supports qualified electronic signatures with multiple signature cards, both conventional contact cards and contactless devices like the new ID card. Functions of the German health card are also supported. AusweisApp is an implementation of the Technical Guideline eCard-API Framework [TR-03112], which defines easy-to-use, uniform interfaces for communication between card readers, cards and applications (web-based and local).

4. Security mechanisms for the identification function of the new ID card

The security mechanisms and the resulting IT infrastructures for the new ID card ensure the protection of personal data, proof of the authenticity of the identity document and protection against forgery. Special attention has been given to solutions for securing the contactless interface between the ID card and the terminal, which, among other things, must meet the requirements for qualified electronic signatures. The following protocols and other measures for achieving the aforementioned security objectives were developed under the active leadership and participation of the BSI.

Overview of the protocols (abbreviation, full name, purpose):
PACE (Password Authenticated Connection Establishment): access control; protects the RF chip from being read at a distance.
EAC (Extended Access Control): extended access control, comprising two subprotocols:
  CA (Chip Authentication): establishment of a secure link and detection of cloned RF chips.
  TA (Terminal Authentication): authentication of the terminal device for reading sensitive data from the RF chip.
PA (Passive Authentication): validation of the authenticity and integrity of the data on the RF chip.
RI (Restricted Identification): generation of chip- and provider-specific pseudonyms.
PKI (Public Key Infrastructure): hierarchy of digital certificates:
  CSCA (Country Signing Certificate Authority): hierarchy of digital certificates for signing the data in electronic identity documents.
  CVCA (Country Verifying Certificate Authority): hierarchy of digital certificates for the read authorization of electronic identity documents.

4.1 Password Authenticated Connection Establishment (PACE)

Password Authenticated Connection Establishment (PACE) ensures that the contactless RF chip in the new identity card cannot be read without explicit access, and that data are exchanged with the terminal device in encrypted form [Bender 2008]. The password that can be used for PACE depends on the authorization certificate of the reader (terminal) device used. Usually, this is the six-digit personal identification number (PIN), which is known only to the holder of the identity card. For reader devices with authorization certificates for sovereign use, e.g. border control, either the Machine Readable Zone (MRZ) printed on the back of the new identity card or the six-digit Card Access Number (CAN) printed on the front is sufficient. The advantage of PACE is that the length of the password has no effect on the security level of the encryption. In other words, even when the CAN or PIN is used, which are short compared to the MRZ, the data on the RF chip of the electronic identity card are strongly protected during transmission.

4.2 Extended Access Control (EAC), readers and EAC box

Extended Access Control (EAC) comprises an array of protocols that are always executed in a specific order, depending on which electronic identity document is to be read [TR-03110]. The EAC protocols include Chip Authentication (CA) and Terminal Authentication (TA). The two protocols are executed together with Password Authenticated Connection Establishment (PACE) and Passive Authentication (PA).

The purpose of Chip Authentication is to confirm that the chip is a genuine chip (and not a forgery or a clone) and to establish a secure connection between the chip and the reader, or between the chip and the service provider in the case of online authentication. Chip Authentication is based on a Diffie-Hellman key exchange in which the reader or terminal device uses an ephemeral key pair and the chip a static pair. The chip's public key is signed when it is generated (Passive Authentication, see section 4.3). The use of the signed key verifies the authenticity of the chip; at the same time, a strongly encrypted and authenticated end-to-end channel is established between the chip and, in the case of online authentication, the service provider.

All data on the new identity card are treated as confidential and must be protected against being read by unauthorized persons. The Terminal Authentication (TA) protocol was developed for this purpose. Sensitive data can only be read when this protocol has been successfully executed by the reader. The RF chip in the identity document is designed so that it releases specific data only when the reader device (terminal) can demonstrate an explicit read authorization for these specific data (e.g. only the date of birth). The Country Verifying Certificate Authority certificate (CVCA certificate) is stored on the RF chip to verify this authorization. This certificate forms the root of the Country Verifier Public Key Infrastructure (CV-PKI), a hierarchy of authorization certificates for reading sensitive data from identity documents.

In Terminal Authentication, the reader (terminal) transmits its read authorization to the RF chip in the form of a terminal certificate. It also transmits the CVCA certificate and all certificates in the hierarchy between these two certificates. This enables the RF chip to verify the authenticity and integrity of the terminal's certificate. A positive result requires that each of the subsequent certificates in the hierarchy is signed with the private key of its predecessor, starting with the CVCA certificate. The RF chip knows that this certificate is trustworthy because it was stored on the RF chip when it was manufactured. Once the authenticity and integrity of the terminal certificate transmitted by the reader have been established, the RF chip must verify that this certificate was really issued for this device. To this end, the RF chip transmits a random number to the reader, which signs it with the private key belonging to the terminal certificate. The reader device then transmits the signed random number back to the RF chip. Using the terminal device's public key, which is contained in the terminal certificate, the RF chip can verify the signature of the random number and determine whether the reader possesses the private key that matches the certificate.

[Figure: EAC box, key component for ID card amendment. Labels: registration office PC; authorization PKI; SOAP; EAC box core with flow control, crypto protocols, stored certificates and keys; secure channel; card reader with display and PIN pad. Specification: BSI Technical Guideline TR EAC-Box Architecture and Interfaces. Protection profile: CC Protection Profile for Inspection Systems.]

Each reader that wants to access the data of the electronic identity card requires corresponding authorization certificates, each with their own private and public keys, which must be renewed regularly via a PKI. The EAC box provides these functions in encapsulated form in an evaluated and certified environment and communicates with external components and services via standardized interfaces [TR-03131]. Once the electronic identity card has been introduced, the EAC box will be used as a reader device for changing address data on the eID card at municipal registration offices. Further uses in addition to this scenario are conceivable (e.g. border control).
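The two channel-building steps described above, PACE and Chip Authentication, as an added runnable model (example code written for this edition, not code from the brochure or from the BSI). It assumes a 2048-bit modular group (RFC 3526 group 14), SHA-256 and HMAC in place of the AES-based nonce encryption and the message formats of TR-03110; it shows that the session key comes from a full Diffie-Hellman exchange, so its strength does not depend on the PIN length, that a wrong PIN is only noticed at the authentication token, and that a clone holding the chip's signed public data but not its static private key cannot complete Chip Authentication.

```python
import hashlib
import hmac
import secrets

# Domain parameters assumed for this example: the 2048-bit MODP group 14 from RFC 3526
# (p is a safe prime; g = 2 generates the subgroup of prime order q = (p-1)/2).
# Real PACE and Chip Authentication use the domain parameters referenced by TR-03110.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2
G = 2

def i2b(x: int) -> bytes:
    """Fixed-width big-endian encoding of a group element."""
    return x.to_bytes(256, "big")

def sha256(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def rand_exp() -> int:
    return secrets.randbelow(Q - 1) + 1

# --- PACE with generic mapping (simplified) ------------------------------------------

def pin_key(pin: str) -> bytes:
    """K_pi: the only point at which the password enters the protocol."""
    return sha256(pin.encode())

def mask(k_pi: bytes, data: bytes) -> bytes:
    """Toy stand-in for the AES encryption of the nonce: XOR with a SHAKE stream."""
    stream = hashlib.shake_256(k_pi).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def mapped_generator(s: int, my_priv: int, peer_pub: int) -> int:
    """Generic mapping: g' = g^s * h, where h = peer_pub^my_priv is a fresh DH value."""
    return pow(G, s, P) * pow(peer_pub, my_priv, P) % P

def run_pace(chip_pin: str, terminal_pin: str):
    """PACE between a chip that holds chip_pin and a terminal that was given
    terminal_pin. Returns (chip_accepts, chip_key, terminal_key)."""
    # 1. the chip sends a random nonce s, encrypted under K_pi
    s = rand_exp()
    z = mask(pin_key(chip_pin), i2b(s))
    s_term = int.from_bytes(mask(pin_key(terminal_pin), z), "big")  # wrong PIN: wrong nonce
    # 2. first DH exchange; both sides then map the generator with their nonce
    xc, xt = rand_exp(), rand_exp()
    yc, yt = pow(G, xc, P), pow(G, xt, P)
    g_chip = mapped_generator(s, xc, yt)
    g_term = mapped_generator(s_term, xt, yc)
    # 3. second DH exchange over the mapped generator gives the session key;
    #    its strength comes from the group, not from the six-digit PIN
    ec, et = rand_exp(), rand_exp()
    pkc, pkt = pow(g_chip, ec, P), pow(g_term, et, P)
    k_chip = sha256(i2b(pow(pkt, ec, P)))
    k_term = sha256(i2b(pow(pkc, et, P)))
    # 4. authentication token: the terminal MACs the chip's ephemeral public key;
    #    a mismatch tells the chip the PIN was wrong, and it counts the attempt
    token_term = hmac.new(k_term, i2b(pkc), hashlib.sha256).digest()
    expected = hmac.new(k_chip, i2b(pkc), hashlib.sha256).digest()
    return hmac.compare_digest(token_term, expected), k_chip, k_term

# --- Chip Authentication (simplified) ------------------------------------------------

def personalise_chip():
    """Static key pair written during manufacturing. The public key is part of the signed
    chip data that Passive Authentication checks; the private key never leaves the chip."""
    sk_icc = rand_exp()
    return sk_icc, pow(G, sk_icc, P)

def chip_authentication(pk_icc: int, sk_icc):
    """The terminal uses an ephemeral key pair, the chip its static pair. Pass sk_icc=None
    for a clone that copied the signed public data but not the private key.
    Returns (terminal_key, chip_key); they agree only for a genuine chip."""
    x = rand_exp()
    pk_term = pow(G, x, P)
    k_term = sha256(i2b(pow(pk_icc, x, P)))
    if sk_icc is None:
        sk_icc = rand_exp()  # the clone can only guess the static private key
    k_chip = sha256(i2b(pow(pk_term, sk_icc, P)))
    return k_term, k_chip

if __name__ == "__main__":
    for pin in ("123456", "654321"):
        ok, kc, kt = run_pace("123456", pin)
        print(f"PACE with terminal PIN {pin}: chip accepts={ok}, keys agree={kc == kt}")
    sk, pk = personalise_chip()
    for label, key in (("genuine", sk), ("cloned", None)):
        kt, kc = chip_authentication(pk, key)
        print(f"CA {label} chip: keys agree={kt == kc}")
```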

4.3 Passive Authentication (PA)

The purpose of Passive Authentication (PA) is to validate the authenticity and integrity of the data on the RF chip of the identity document. In the course of manufacturing the electronic identity document, the data stored on the RF chip are digitally signed. This process uses a document signing certificate, which in turn is signed with the Country Signing Certificate Authority certificate (CSCA certificate) of the issuing nation and is available only to the officially authorized ID manufacturer. This certificate forms the bedrock of the Country Signing Certificate Authority Public Key Infrastructure (CSCA-PKI), a hierarchy of certificates that verify the integrity of data on identity documents. When an identity document is read, Passive Authentication verifies the signature of the data stored on the RF chip and traces it back to the CSCA certificate. This makes it possible to determine whether the data in the identity document were written on the RF chip by the officially authorized ID manufacturer and whether their integrity is intact.

4.4 Public Key Infrastructures (PKI) for electronic identity documents

The new identity card requires two Public Key Infrastructures (PKI): one PKI for verifying the authenticity of electronic identity documents (Passive Authentication), the Country Signing Certificate Authority (CSCA); and one PKI to protect the fingerprints on electronic identity documents (Terminal Authentication), the Country Verifying Certificate Authority (CVCA). Technical Guideline TR describes the basic functionalities and requirements of these infrastructures.

Country Signing Certificate Authority (CSCA)

The Country Signing Certificate Authority (CSCA) is operated by the BSI. This authority generates the German root certificates (CSCA certificates) on a regular basis; their private keys in turn sign the document signing certificates of the passport or ID card manufacturer. The passport or ID card manufacturer uses the private keys of the document signing certificates to sign the files on the electronic identity document that represent the document's data. The document signing certificate is also stored electronically on the identity document. Using the root certificate, it is possible to verify whether an electronic identity document was really created on behalf of the issuing nation, and whether the data have been changed in any way since production. This is realized using Passive Authentication.

To enable the authenticity and integrity of German electronic identity documents to be verified at border control points in other countries, and passports of other countries to be tested at the German border for their authenticity and integrity, the various nations must exchange their root certificates in a secure manner. This is achieved either via diplomatic pouches or via the ICAO Public Key Directory (ICAO-PKD).

[Figure: Public Key Infrastructure in the international context, showing the exchange of root certificates between Country A and Country B.]

Country Verifying Certificate Authority (CVCA)

The BSI also operates the Country Verifying Certificate Authority (CVCA). This authority generates the German root certificates on a regular basis; the private keys of these certificates are used to sign the document verifier certificates of the document verifier instances (DV instances). The DV instances are responsible for issuing the certificates authorizing the reading of electronic identity documents, and also define the individual read rights, i.e. what information can be read from the identity documents. This authorization is verified by the RF chip of the electronic identity document during Terminal Authentication when the document is read.

Authorization certificates are issued solely to control authorities (e.g. the Federal Police) and registry offices (to enable citizens to check the correctness of their data). These certificates are also required to read fingerprints. The diagram "Public Key Infrastructure for citizen applications of the new identity card" illustrates the spectrum of variants of national authorization certificates for the new identity card. In addition to applications for sovereign purposes and for electronic identification, the CVCA also supports the qualified electronic signature. The new identity card also requires that authorization certificates be issued for the control authorities of other nations that are empowered to access the sovereign functions of the new identity card. This authorization is issued separately for each nation.

[Figure: Public Key Infrastructure for citizen applications of the new identity card. Labels: BSI; DV(s), inspection authorities; VfB; BerCA(s), service providers; eID DV; eID, identity card authority; eSign DV; QES, verified signature terminal.]

Legend:
CVCA: Country Verifying Certificate Authority
DV: Document Verifier
VfB: Issuing Unit for certificates
BerCA: Certification Authority for eID service providers
QES: Qualified Electronic Signature
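The chain check and challenge-response of Terminal Authentication (section 4.2) over the CVCA, DV and terminal hierarchy described in this section, as an added example (not code from the brochure or from the BSI). Assumptions: a toy Schnorr signature over RFC 3526 group 14 stands in for the certificates' real signatures, read rights are a made-up bit mask, and the names, dates and hierarchy are constructed for the example.

```python
import hashlib
import secrets

# Domain parameters assumed for this example: the 2048-bit MODP group 14 from RFC 3526
# (safe prime p; g = 2 generates the subgroup of prime order q = (p-1)/2). The real
# card verifiable certificates use the elliptic-curve signatures specified in TR-03110.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2
G = 2

def challenge_hash(r: int, msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(r.to_bytes(256, "big") + msg).digest(), "big") % Q

# --- toy Schnorr signature, standing in for the ECDSA of the real certificates ---------

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def sign(x: int, msg: bytes):
    k = secrets.randbelow(Q - 1) + 1
    e = challenge_hash(pow(G, k, P), msg)
    return e, (k + e * x) % Q

def verify(y: int, msg: bytes, sig) -> bool:
    e, s = sig
    r = pow(G, s, P) * pow(y, Q - e, P) % P  # g^s * y^(-e) == g^k for a valid signature
    return e == challenge_hash(r, msg)

# --- certificates of the CV-PKI (simplified) -------------------------------------------
# Read rights are modelled as a bit mask (constructed for this example).
DG_NAME, DG_ADDRESS, DG_BIRTHDATE, AGE_VERIFICATION, ALL_RIGHTS = 1, 2, 4, 8, 15

def cert_body(holder, issuer, pk, rights, not_after) -> bytes:
    return f"{holder}|{issuer}|{pk}|{rights}|{not_after}".encode()

def issue(issuer_name, issuer_sk, holder, holder_pk, rights, not_after):
    """Certificate for holder, signed with the issuer's private key."""
    sig = sign(issuer_sk, cert_body(holder, issuer_name, holder_pk, rights, not_after))
    return {"holder": holder, "issuer": issuer_name, "pk": holder_pk,
            "rights": rights, "not_after": not_after, "sig": sig}

def chip_verify_chain(trust_anchor, chain, today):
    """Chip side: each certificate must be signed by its predecessor, starting from the CVCA
    certificate stored on the chip at manufacturing, and must not have expired ('today' stands
    for the chip's notion of the current date). Returns (terminal_cert, rights), rights being
    the intersection of the rights along the chain, or None if any check fails."""
    issuer, rights = trust_anchor, trust_anchor["rights"]
    for cert in chain:
        body = cert_body(cert["holder"], cert["issuer"], cert["pk"],
                         cert["rights"], cert["not_after"])
        if cert["issuer"] != issuer["holder"] or not verify(issuer["pk"], body, cert["sig"]):
            return None  # broken link in the hierarchy or tampered certificate
        if cert["not_after"] < today:
            return None
        rights &= cert["rights"]
        issuer = cert
    return issuer, rights

def chip_challenge_response(terminal_cert, signing_sk) -> bool:
    """The chip sends a random number; the reader signs it with whatever private key it
    holds; the chip verifies with the public key from the terminal certificate. A device
    that merely copied someone else's certificate fails here."""
    nonce = secrets.token_bytes(8)
    return verify(terminal_cert["pk"], nonce, sign(signing_sk, nonce))

def terminal_authentication(trust_anchor, chain, signing_sk, holder_allowed, today):
    """TA as the chip sees it: chain check, proof of key possession, then the holder's own
    restriction of the read rights. Returns the granted rights mask or None."""
    checked = chip_verify_chain(trust_anchor, chain, today)
    if checked is None:
        return None
    terminal_cert, rights = checked
    if not chip_challenge_response(terminal_cert, signing_sk):
        return None
    return rights & holder_allowed

def example_pki():
    """Constructed hierarchy: CVCA -> DV (authorization CA) -> one service-provider terminal
    allowed to read name and address and to verify age. Dates are YYYYMMDD integers."""
    cvca_sk, cvca_pk = keygen()
    dv_sk, dv_pk = keygen()
    term_sk, term_pk = keygen()
    cvca = issue("DE-CVCA", cvca_sk, "DE-CVCA", cvca_pk, ALL_RIGHTS, 20301231)  # self-signed
    dv = issue("DE-CVCA", cvca_sk, "DV-EID", dv_pk, ALL_RIGHTS, 20111231)
    term = issue("DV-EID", dv_sk, "SHOP-TERMINAL", term_pk,
                 DG_NAME | DG_ADDRESS | AGE_VERIFICATION, 20110131)
    return cvca, [dv, term], term_sk
```

Calling `terminal_authentication(cvca, chain, term_sk, AGE_VERIFICATION, 20110115)` on the constructed hierarchy grants only the age verification, the holder's restriction of the terminal's wider certificate; a device presenting the same chain but signing with its own key, an expired terminal certificate or a certificate whose rights were edited after signing all yield None.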

To sum up, the array of cryptographic protocols described above offers protection against a range of attacks:

PACE has the advantage that the length of the password has no effect on the security level of the encryption. This means that even when the CAN or PIN is used, which are short compared to the MRZ, the data on the RF chip of the electronic identity card are strongly protected during transmission. PACE protects cards against being accessed in passing and creates an encrypted, integrity-secured channel between the card and the reader. PACE also enables the entry and verification of a PIN, thus tying authentication to the person and providing protection against unauthorized use of the new identity card.

Chip Authentication creates a secure end-to-end channel between the chip and the service provider. Together with Passive Authentication, Chip Authentication also verifies the authenticity of the chip. The integrity and authenticity of the read data are implicitly ensured through the authentication of the chip.

Terminal Authentication ensures that the reader or service provider can perform only authorized access operations. The read rights for the various data fields are granted separately.

5. The eID server interface for web applications

To simplify the use of the electronic identification function in web applications, an eID server is required. The eID server provides a simple interface for web applications, encapsulating the complexity of the electronic identification function. The guideline TR specifies the interface used by web applications and the corresponding data formats for exchanging information. The eID server, as a hardware and software component, establishes communication with AusweisApp and handles the communication for requesting terminal authorization certificates (DVCA certificates), revocation lists and CSCA certificates. The eID server is realized as a logically independent server, so that it can be used by multiple web applications (principals); it can also, for example, be operated remotely by a third party. To preserve the confidentiality and integrity of the processed data, the data must be encrypted and signed for transfer between the eID server and the application server when transmitted via a public network.

[Figure: The steps of the electronic identification process. Participants: the citizen with browser and AusweisApp; the service provider with web server and eID server; CA (Certification Authority), PKD (Public Key Directory) and revocation lists.]
➀ The citizen selects authentication using the electronic ID on the service provider's website.
➁ The web server of the service provider transmits the parameters necessary for establishing the connection.
➂ The browser starts the local AusweisApp application.
➃ AusweisApp establishes a secure channel to the eID server of the service provider and authentication commences.

6. Revocation management in the new German identity card

To prevent the abuse of stolen or lost identity cards, the card holder must be able to block or cancel them via revocation management [Bender 2010]. Currently, chip cards, e.g. cards for the qualified electronic signature, are cancelled by means of a chip-specific public key that can be compared with a revocation list, in other words, a global, chip-specific feature. However, a chip-specific feature is always person-related, as it uniquely identifies the chip and consequently the card holder. Such a mechanism would thus undermine the data-protection-friendly design of the eID function, in which only those data from the chip are transmitted that are necessary for the service. For example, an online service that only requires proof of age for age-restricted services must not be able to use a unique revocation attribute to cross-reference these data with a service that receives name, address and similar data from the identity document (this is particularly important for the pseudonym function).

One solution to this conflict is to use service-specific revocation lists, i.e. every identity card transmits a service- and card-specific revocation attribute to the service provider during the electronic identification process, which the provider then checks against its individual, i.e. service-specific, revocation list. For each service that uses the eID function of the new identity card, a service-specific revocation list is generated from a global revocation list. A service- and card-specific attribute sent to the service provider from the chip of the identity card during the eID function can then be compared with this specific revocation list in order to identify cancelled IDs.
The use of service- and card-specific revocation attributes ensures that service providers cannot exploit them to recognize identity documents across services. This applies analogously to the revocation service: since this central authority is unable to derive the service- and card-specific revocation attributes from the revocation key without the assistance of the service providers and the authorization CAs, it is not possible to trace identity cards via the revocation mechanism. The use of revocation passwords and checksums also promotes data protection.

[Figure: Revocation management overview. Labels: police, loss reported, lost and stolen list, revocation initiated; citizen; ID card authority, revocation initiated with revocation password; revocation password in PIN letter; ID manufacturer, revocation password for entry in the register of IDs; revocation initiated with revocation checksum; eID revocation service with general revocation list and service provider-specific revocation list; authorization CA (Berechtigungs-CA); service provider (Dienstanbieter); hotline.]

A revocation key is required for generating the service-specific revocation lists. To ensure that the process complies with the security requirements described above, this key has a length of 256 bits, something the identity card holder will certainly be unable to memorize. Cancellation of lost identity cards must be possible at any time: seven days a week, 24 hours a day, and especially while travelling. One solution would be to store the personal data of the card holder required for identification in the revocation service, together with the revocation key, which would in practice be equivalent to a nation-wide registry of persons. The method used in the identity card takes a different approach: only the hash value (revocation checksum) computed over the last and first names, date of birth and revocation password is stored with the revocation key. This implementation permits effective cancellation of identity cards without requiring a central registry holding personal data.

7. References
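The pseudonym function of section 2 (Restricted Identification) and the service-specific revocation lists of this section, as one added model in Python (example code, not the brochure's or the BSI's scheme; the page's own description is the text above and [Bender 2010]). Assumptions of this simplified model: the chip's pseudonym for a service is H(sector_pk^sk) over RFC 3526 group 14, the revocation service stores only the token g^sk next to the revocation checksum, the authorization CA holds the sector private keys, and the sample person and services are constructed.

```python
import hashlib
import secrets

# Domain parameters assumed for this example: the 2048-bit MODP group 14 from RFC 3526
# (safe prime p; g = 2 generates the subgroup of prime order q = (p-1)/2). The real scheme
# works over the elliptic-curve parameters of TR-03110.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2
G = 2

def pseudonym_of(base: int, exponent: int) -> str:
    """H(base^exponent): the sector-specific identifier, as hex."""
    return hashlib.sha256(pow(base, exponent, P).to_bytes(256, "big")).hexdigest()

# --- chip (personalised by the ID manufacturer) ------------------------------------------

def personalise_chip():
    """The chip receives a secret key sk that never leaves it. The matching public value
    g^sk is the revocation token registered at the revocation service (model assumption)."""
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def chip_pseudonym(sk: int, sector_pk: int) -> str:
    """Restricted Identification: pseudonym = H(sector_pk^sk). Different sector keys give
    unlinkable pseudonyms; the same sector always sees the same pseudonym."""
    return pseudonym_of(sector_pk, sk)

# --- authorization CA (Berechtigungs-CA) -------------------------------------------------

def new_sector():
    """Every service provider gets a sector key pair: the public half goes into its
    authorization certificate, the private half stays with the authorization CA."""
    sk_sector = secrets.randbelow(Q - 1) + 1
    return sk_sector, pow(G, sk_sector, P)

def service_specific_list(global_list, sk_sector):
    """Turn the global revocation list (tokens g^sk) into the service-specific list:
    H((g^sk)^sk_sector) is exactly the pseudonym the chip shows to that sector. Without
    sk_sector, which the revocation service does not hold, the list cannot be derived."""
    return {pseudonym_of(token, sk_sector) for token in global_list}

# --- revocation service ------------------------------------------------------------------

def revocation_checksum(last: str, first: str, birthdate: str, password: str) -> str:
    """Only this hash of name, date of birth and revocation password is stored next to the
    token; the revocation service holds no personal data in the clear."""
    return hashlib.sha256("|".join([last, first, birthdate, password]).encode()).hexdigest()

class RevocationService:
    def __init__(self):
        self.by_checksum = {}     # revocation checksum -> revocation token
        self.global_list = set()  # tokens of cancelled cards

    def register(self, checksum: str, token: int):
        self.by_checksum[checksum] = token

    def report_loss(self, last, first, birthdate, password) -> bool:
        """Cancellation by the holder (hotline or ID card authority): the checksum is
        recomputed from the reported data; a wrong password yields an unknown checksum."""
        token = self.by_checksum.get(revocation_checksum(last, first, birthdate, password))
        if token is None:
            return False
        self.global_list.add(token)
        return True

def is_revoked(pseudonym: str, service_list) -> bool:
    """Service provider side: compare the received pseudonym with its own list."""
    return pseudonym in service_list

def demo():
    """Constructed walk-through: one lost card, two unrelated services (all names made up)."""
    svc = RevocationService()
    sk_forum, pk_forum = new_sector()
    sk_shop, pk_shop = new_sector()
    sk_card, token = personalise_chip()
    svc.register(revocation_checksum("Mustermann", "Erika", "1964-08-12", "Apfel-7"), token)
    sk_other, _ = personalise_chip()  # a second, unaffected card
    before = is_revoked(chip_pseudonym(sk_card, pk_forum), service_specific_list(svc.global_list, sk_forum))
    wrong_pw = svc.report_loss("Mustermann", "Erika", "1964-08-12", "Birne-9")
    accepted = svc.report_loss("Mustermann", "Erika", "1964-08-12", "Apfel-7")
    forum_list = service_specific_list(svc.global_list, sk_forum)
    shop_list = service_specific_list(svc.global_list, sk_shop)
    return {
        "pseudonyms_differ": chip_pseudonym(sk_card, pk_forum) != chip_pseudonym(sk_card, pk_shop),
        "revoked_before_loss": before,
        "wrong_password_rejected": not wrong_pw,
        "loss_accepted": accepted,
        "revoked_at_forum": is_revoked(chip_pseudonym(sk_card, pk_forum), forum_list),
        "revoked_at_shop": is_revoked(chip_pseudonym(sk_card, pk_shop), shop_list),
        "other_card_unaffected": not is_revoked(chip_pseudonym(sk_other, pk_forum), forum_list),
    }
```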
[PAuswG 2010] German ID Card Act (Gesetz über Personalausweise und den elektronischen Identitätsnachweis, Personalausweisgesetz, PAuswG), 17 August 2010, German Federal Law Gazette (Bundesanzeiger) I, p.
[PAuswV 2010] German ID Card Regulation (Verordnung über Personalausweise und den elektronischen Identitätsnachweis, PAuswV), 2010, German Federal Law Gazette (Bundesanzeiger) I
[Bender 2008] Jens Bender, Dennis Kügler, Marian Margraf, Ingo Naumann: Sicherheitsmechanismen für kontaktlose Chips im deutschen elektronischen Personalausweis, DuD Datenschutz und Datensicherheit, p.
[Bender 2010] Jens Bender, Dennis Kügler, Marian Margraf, Ingo Naumann: Das Sperrmanagement im neuen deutschen Personalausweis, DuD Datenschutz und Datensicherheit, p.
[TR-03110] BSI Technical Guideline: Advanced Security Mechanisms for Machine Readable Travel Documents (BSI TR-03110)
[TR-03112] BSI Technical Guideline: eCard-API-Framework (BSI TR-03112)
[TR-03128] BSI Technical Guideline: EAC-PKI'n für den elektronischen Personalausweis, Rahmenkonzept für den Aufbau und den Betrieb von Document Verifiern (BSI TR-03128)
[TR-03130] BSI Technical Guideline: eID-Server (BSI TR-03130)
[TR-03131] BSI Technical Guideline: EAC-Box Architecture and Interfaces (BSI TR-03131)

Imprint

Published by: Federal Office for Information Security (BSI), Godesberger Allee, Bonn, Germany
Version: September 2010
Editorial: TeleTrusT Deutschland e.V., Berlin, Germany
Design / Production: Kesberg Consulting, Bonn, Germany
Printing: Buersche Druckerei Neufang KG, Gelsenkirchen, Germany
Photos: German Federal Ministry of the Interior (cover pictures), German Federal Office for Information Security (graphics)


More information

eidas Token Jens Bender ETSI Security Workshop Federal Office for Information Security

eidas Token Jens Bender ETSI Security Workshop Federal Office for Information Security eidas Token Jens Bender Federal Office for Information Security ETSI Security Workshop 16.01.2014 COM 238 eidas Regulation In 2012 the EU Commission published a proposal for a regulation for Electronic

More information

White Paper PalmSecure truedentity

White Paper PalmSecure truedentity White Paper PalmSecure truedentity Fujitsu PalmSecure truedentity is used for mutual service and user authentication. The user's identity always remains in the possession of the user. A truedentity server

More information

Technical Guideline eid-server. Part 2: Security Framework

Technical Guideline eid-server. Part 2: Security Framework Technical Guideline eid-server Part 2: Security Framework BSI TR-03130-2 Version 2.0.1 January 15, 2014 Federal Office for Information Security Post Box 20 03 63 D-53133 Bonn Phone: +49 22899 9582-0 E-Mail:

More information

COMMON CERTIFICATE POLICY FOR THE EXTENDED ACCESS CONTROL INFRASTRUCTURE FOR PASSPORTS AND TRAVEL DOCUMENTS ISSUED BY EU MEMBER STATES

COMMON CERTIFICATE POLICY FOR THE EXTENDED ACCESS CONTROL INFRASTRUCTURE FOR PASSPORTS AND TRAVEL DOCUMENTS ISSUED BY EU MEMBER STATES COMMON CERTIFICATE POLICY FOR THE EXTENDED ACCESS CONTROL INFRASTRUCTURE FOR PASSPORTS AND TRAVEL DOCUMENTS ISSUED BY EU MEMBER STATES BSI TR-03139 Version 2.1 27 May 2013 Foreword The present document

More information

Ronny Wichers Schreur / Bart Jacobs Biometric Passport

Ronny Wichers Schreur / Bart Jacobs Biometric Passport FACULTY OF SCIENCE Ronny Wichers Schreur / Bart Jacobs Wichers Schreur / Jacobs (IPA Fall days 2005-11-22) p.1/34 Contents Wichers Schreur / Jacobs (IPA Fall days 2005-11-22) p.1/34 Contents I. Background

More information

Description of the Technical Component:

Description of the Technical Component: Confirmation concerning Products for Qualified Electronic Signatures according to 15 Sec. 7 S. 1, 17 Sec. 4 German Electronic Signature Act 1 and 11 Sec. 2 and 15 German Electronic Signature Ordinance

More information

eid Service

eid Service eid Service Pocket guide 2011 www.bundesdruckerei.de Contents 05 Section 1 Identity management in the 21 st century 11 Section 2 the new german id card facts and features 17 Section 3 the technology in

More information

All you need to know about the electronic residence permit (eat)

All you need to know about the electronic residence permit (eat) All you need to know about the electronic residence permit (eat) www.bamf.de/eaufenthaltstitel Contents Contents 1 The electronic residence permit 5 2 Photo and fingerprints 7 3 Additional provisions

More information

Security analysis of OpenID, followed by a reference implementation of an npa-based OpenID provider

Security analysis of OpenID, followed by a reference implementation of an npa-based OpenID provider Security analysis of OpenID, followed by a reference implementation of an npa-based OpenID provider Sebastian Feld Norbert Pohlmann Institute for Internet-Security Gelsenkirchen University of Applied Sciences

More information

Secure document verification

Secure document verification Secure document verification Reliable document verification for efficient control procedures Author: Andreas Rach Product Manager, Verification Solutions Bundesdruckerei GmbH Oranienstrasse 91 10969 Berlin,

More information

Strong Authentication based on the German ID Card

Strong Authentication based on the German ID Card Strong Authentication based Protocols and Use Cases 10th ICCC / 2009-09-22 / Present Registration / Identification filling in an (electronic) form (print out with hand-written signature) copy of id card

More information

Electronic Identity Cards for User Authentication Promise and Practice

Electronic Identity Cards for User Authentication Promise and Practice Electronic Identity Cards for User Authentication Promise and Practice Andreas Poller Ulrich Waldmann Sven Vowé Sven Türpe Fraunhofer Institute for Secure Information Technology (SIT) Rheinstraße 75, 64295

More information

Secure CA operation, Part 1

Secure CA operation, Part 1 TR-03145-1 Secure CA operation, Part 1 Generic requirements for Trust Centers instantiating as Certification Authority (CA) in a Public-Key Infrastructure (PKI) with security level 'high' Version 1.0 Bundesamt

More information

esign FAQ 1. What is the online esign Electronic Signature Service? 2. Where the esign Online Electronic Signature Service can be used?

esign FAQ 1. What is the online esign Electronic Signature Service? 2. Where the esign Online Electronic Signature Service can be used? esign FAQ 1. What is the online esign Electronic Signature Service? esign Electronic Signature Service is an innovative initiative for allowing easy, efficient, and secure signing of electronic documents

More information

As simple as e-mail and as secure as postal mail.

As simple as e-mail and as secure as postal mail. Stay up-to-date Page 1 The advantages of De-Mail for individuals, businesses and Page 2 government agencies Unencrypted, unprotected, unverified what does that mean? Page 3 Encrypted, protected, verified

More information

Common Criteria Protection Profile eid-client based on ecard-api BSI-CC-PP-0066-V2

Common Criteria Protection Profile eid-client based on ecard-api BSI-CC-PP-0066-V2 Common Criteria Protection Profile eid-client based on ecard-api BSI-CC-PP-0066-V2 Common Criteria Protection Profile Version 2.0.5.14, 01.12.2011 Foreword 5 This Protection Profile eid-client based on

More information

Security by Politics - Why it will never work. Lukas Grunwald DN-Systems GmbH Germany DefCon 15 Las Vegas USA

Security by Politics - Why it will never work. Lukas Grunwald DN-Systems GmbH Germany DefCon 15 Las Vegas USA Security by Politics - Why it will never work Lukas Grunwald DN-Systems GmbH Germany DefCon 15 Las Vegas USA Agenda Motivation Some basics Brief overview epassport (MRTD) Why cloning? How to attack the

More information

Securing VoIP Networks using graded Protection Levels

Securing VoIP Networks using graded Protection Levels Securing VoIP Networks using graded Protection Levels Andreas C. Schmidt Bundesamt für Sicherheit in der Informationstechnik, Godesberger Allee 185-189, D-53175 Bonn Andreas.Schmidt@bsi.bund.de Abstract

More information

Full page passport/document reader Regula model 70X4M

Full page passport/document reader Regula model 70X4M Full page passport/document reader Regula model 70X4M Full page passport reader with no moving parts inside. Automatic reading and authenticity verification of passports, IDs, visas, driver s licenses

More information

THE LEADING EDGE OF BORDER SECURITY

THE LEADING EDGE OF BORDER SECURITY THE LEADING EDGE OF BORDER SECURITY RECORD-BREAKING TRAVEL CREATING NEW CHALLENGES TIM KLABUNDE Entrust Datacard; Director, Government Vertical Marketing THE ERA OF THE MOBILE IDENTITY In an increasingly

More information

eid Services as Part of the new German ID Card Ecosystem 27/10/2011

eid Services as Part of the new German ID Card Ecosystem 27/10/2011 eid Services as Part of the new German ID Card Ecosystem The new German ID Card Features ID CARD New Electronic Features 1. Biometrics Digital photo and (if desired), two electronic fingerprints Only legitimate

More information

Cybersecurity and Secure Authentication with SAP Single Sign-On

Cybersecurity and Secure Authentication with SAP Single Sign-On Solution in Detail SAP NetWeaver SAP Single Sign-On Cybersecurity and Secure Authentication with SAP Single Sign-On Table of Contents 3 Quick Facts 4 Remember One Password Only 6 Log In Once to Handle

More information

Moving to the third generation of electronic passports

Moving to the third generation of electronic passports Moving to the third generation of electronic passports A new dimension in electronic passport security with Supplemental Access Control (SAC) > WHITE PAPER 2 Gemalto in brief Gemalto is the world leader

More information

Act. on Strong Electronic Identification and Electronic Signatures (617/2009)

Act. on Strong Electronic Identification and Electronic Signatures (617/2009) NB: Unofficial translation; legally binding texts are those in Finnish and Swedish Act on Strong Electronic Identification and Electronic Signatures (617/2009) Chapter 1 General provisions Section 1 Scope

More information

CERTIFICATION PRACTICE STATEMENT UPDATE

CERTIFICATION PRACTICE STATEMENT UPDATE CERTIFICATION PRACTICE STATEMENT UPDATE Reference: IZENPE-CPS UPDATE Version no: v 5.03 Date: 10th March 2015 IZENPE 2015 This document is the property of Izenpe. It may only be reproduced in its entirety.

More information

The German eid-card. Jens Bender. Federal Office for Information Security Bundesamt für Sicherheit in der Informationstechnik

The German eid-card. Jens Bender. Federal Office for Information Security Bundesamt für Sicherheit in der Informationstechnik The German eid-card Federal Office for Information Security Bundesamt für Sicherheit in der Informationstechnik eid Workshop KU Leuven / The German Electronic ID-Card (Elektronischer Personalausweis) Motivation

More information

Common Criteria Protection Profile

Common Criteria Protection Profile Machine Readable Travel Document using Standard Inspection Procedure with PACE (PACE PP) Version 1.01, 22th July 2014 Foreword This Protection Profile Electronic Passport using Standard Inspection procedure

More information

Public Key Infrastructure PKI. National Digital Certification Center Information Technology Authority Sultanate of Oman

Public Key Infrastructure PKI. National Digital Certification Center Information Technology Authority Sultanate of Oman Public Key Infrastructure PKI National Digital Certification Center Information Technology Authority Sultanate of Oman Agenda Objectives PKI Features etrust Components Government eservices Oman National

More information

Asymmetric cryptosystems fundamental problem: authentication of public keys

Asymmetric cryptosystems fundamental problem: authentication of public keys Network security Part 2: protocols and systems (a) Authentication of public keys Università degli Studi di Brescia Dipartimento di Ingegneria dell Informazione 2014/2015 Asymmetric cryptosystems fundamental

More information

Performance Characteristics of Data Security. Fabasoft Cloud

Performance Characteristics of Data Security. Fabasoft Cloud Performance Characteristics of Data Security Valid from October 13 th, 2014 Copyright GmbH, A-4020 Linz, 2014. All rights reserved. All hardware and software names used are registered trade names and/or

More information

PKD Board ICAO PKD unclassified B-Tec/36. Regulations for the ICAO Public Key Directory

PKD Board ICAO PKD unclassified B-Tec/36. Regulations for the ICAO Public Key Directory Regulations for the ICAO Public Key Directory last modification final 1/8 SECTION 1 AUTHORITY These Regulations are issued by ICAO on the basis of Paragraph 3 b) of the Memorandum of Understanding (MoU)

More information

Secure Card based Voice over Internet Protocol Authentication

Secure Card based Voice over Internet Protocol Authentication Secure Card based Voice over Internet Protocol Authentication By GOWSALYA.S HARINI.R CSE-B II YEAR (IFET COLLEGE OF ENGG.) Approach to Identity Card-based Voiceover-IP Authentication Abstract Voice-over-IP

More information

Mobility, Security and Trusted Identities: It s Right In The Palm of Your Hands. Ian Wills Country Manager, Entrust Datacard

Mobility, Security and Trusted Identities: It s Right In The Palm of Your Hands. Ian Wills Country Manager, Entrust Datacard Mobility, Security and Trusted Identities: It s Right In The Palm of Your Hands Ian Wills Country Manager, Entrust Datacard WHO IS ENTRUST DATACARD? 2 Entrust DataCard Datacard Corporation. Corporation.

More information

A secure, economic infrastructure for signing of web based documents and financial affairs Overview of a server based, customer-friendly approach.

A secure, economic infrastructure for signing of web based documents and financial affairs Overview of a server based, customer-friendly approach. 1 of 8 15.03.2004 14:09 Issue January 2002 A secure, economic infrastructure for signing of web based documents and financial affairs Overview of a server based, customer-friendly approach. Lothar Fritsch,

More information

Extended SSL Certificates

Extended SSL Certificates Introduction Widespread usage of internet has led to the growth of awareness amongst users, who now associate green address bar with security. Though people are able to recognize the green bar, there is

More information

EPASSPORT WITH BASIC ACCESS CONTROL AND ACTIVE AUTHENTICATION

EPASSPORT WITH BASIC ACCESS CONTROL AND ACTIVE AUTHENTICATION COMMON CRITERIA PROTECTION PROFILE EPASSPORT WITH BASIC ACCESS CONTROL AND ACTIVE AUTHENTICATION Draft Version 1.0 TURKISH STANDARDS INSTITUTION TABLE OF CONTENTS Common Criteria Protection Profile...

More information

Entrust Managed Services PKI. Getting started with digital certificates and Entrust Managed Services PKI. Document issue: 1.0

Entrust Managed Services PKI. Getting started with digital certificates and Entrust Managed Services PKI. Document issue: 1.0 Entrust Managed Services PKI Getting started with digital certificates and Entrust Managed Services PKI Document issue: 1.0 Date of issue: May 2009 Copyright 2009 Entrust. All rights reserved. Entrust

More information

Best Solutions for Biometrics and eid

Best Solutions for Biometrics and eid Best Solutions for Biometrics and eid In times of virtual communication even a person s identity is converted into an electronic form with the help of biometrics and then organised through intricate technical

More information

Microsoft Identity Lifecycle Manager & Gemalto.NET Solutions. Jan 23 rd, 2007

Microsoft Identity Lifecycle Manager & Gemalto.NET Solutions. Jan 23 rd, 2007 Microsoft Identity Lifecycle Manager & Gemalto.NET Solutions Jan 23 rd, 2007 Microsoft ILM is a comprehensive, integrated, identity and access solution within the Microsoft system architecture. It includes

More information

Neutralus Certification Practices Statement

Neutralus Certification Practices Statement Neutralus Certification Practices Statement Version 2.8 April, 2013 INDEX INDEX...1 1.0 INTRODUCTION...3 1.1 Overview...3 1.2 Policy Identification...3 1.3 Community & Applicability...3 1.4 Contact Details...3

More information

Common Criteria Protection Profile for Inspection Systems (IS) BSI-CC-PP-0064. Version 1.01 (15 th April 2010)

Common Criteria Protection Profile for Inspection Systems (IS) BSI-CC-PP-0064. Version 1.01 (15 th April 2010) Common Criteria Protection Profile for BSI-CC-PP-0064 Version 1.01 (15 th April 2010) Federal Office for Information Security Postfach 20 03 63 53133 Bonn Phone: +49 228 99 9582-0 e-mail: zertifizierung@bsi.bund.de

More information

Test plan for eid and esign compliant terminal software with EACv2

Test plan for eid and esign compliant terminal software with EACv2 Technical Guideline BSI TR-03105 Part 5.3 Test plan for eid and esign compliant terminal software with EACv2 Version: 2.0 Date: 2015-05-22 Bundesamt für Sicherheit in der Informationstechnik Postfach 20

More information

ORDINANCE ON THE ELECTRONIC SIGNATURE CERTIFICATES IN THE. Chapter One GENERAL PROVISIONS

ORDINANCE ON THE ELECTRONIC SIGNATURE CERTIFICATES IN THE. Chapter One GENERAL PROVISIONS ADMINISTRATIONS Effective as of 13 June 2008 Adopted by Decree of the Council of Ministers No 97 of 16 May 2008 Promulgated SG, No. 48 of 23 May 2008 Chapter One GENERAL PROVISIONS Article 1. This Ordinance

More information

PKD Board ICAO PKD unclassified B-Tec/37. Procedures for the ICAO Public Key Directory

PKD Board ICAO PKD unclassified B-Tec/37. Procedures for the ICAO Public Key Directory Procedures for the ICAO Public Key Directory last modification final 1/13 SECTION 1 INTRODUCTION 1.1 As part of the MRTD initiative by ICAO, the Participants will upload to and download from the PKD, their

More information

Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi

Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi Purpose This paper is intended to describe the benefits of smart card implementation and it combination with Public

More information

biometric authentication

biometric authentication biometric authentication Homeland Security Suite Your business technologists. Powering progress Homeland Security Suite The use of fingerprint biometrics to identify human beings has a long history. Today,

More information

Meeting the FDA s Requirements for Electronic Records and Electronic Signatures (21 CFR Part 11)

Meeting the FDA s Requirements for Electronic Records and Electronic Signatures (21 CFR Part 11) Meeting the FDA s Requirements for Electronic Records and Electronic Signatures (21 CFR Part 11) Executive Summary...3 Background...4 Internet Growth in the Pharmaceutical Industries...4 The Need for Security...4

More information

Global eid Developments. Detlef Eckert Chief Security Advisor Microsoft Europe, Middle East, and Africa

Global eid Developments. Detlef Eckert Chief Security Advisor Microsoft Europe, Middle East, and Africa Global eid Developments Detlef Eckert Chief Security Advisor Microsoft Europe, Middle East, and Africa Agenda Country View on eid initiatives Trustworthy Identity Scenarios Microsoft eid update Summary

More information

Secure Web Access Solution

Secure Web Access Solution Secure Web Access Solution I. CONTENTS II. INTRODUCTION... 2 OVERVIEW... 2 COPYRIGHTS AND TRADEMARKS... 2 III. E-CODE SECURE WEB ACCESS SOLUTION... 3 OVERVIEW... 3 PKI SECURE WEB ACCESS... 4 Description...

More information

Terms and conditions of using an electronic ID card NATIONAL POLICE BOARD POPULATION REGISTER CENTRE INSTRUCTION

Terms and conditions of using an electronic ID card NATIONAL POLICE BOARD POPULATION REGISTER CENTRE INSTRUCTION Terms and conditions of using an electronic ID card NATIONAL POLICE BOARD POPULATION REGISTER CENTRE INSTRUCTION 1.3.2016 ELECTRONIC ID CARD USE AND RESPONSIBILITIES GENERAL The primary purpose of use

More information

Lecture VII : Public Key Infrastructure (PKI)

Lecture VII : Public Key Infrastructure (PKI) Lecture VII : Public Key Infrastructure (PKI) Internet Security: Principles & Practices John K. Zao, PhD (Harvard) SMIEEE Computer Science Department, National Chiao Tung University 2 Problems with Public

More information

Operational and Technical security of Electronic Passports

Operational and Technical security of Electronic Passports European Agency for the Management of Operational Cooperation at the External Borders of the Member States of the European Union Operational and Technical security of Electronic Passports Warsaw, Legal

More information

WHITEPAPER SECURITY CONCEPT FOR SICK REMOTE SERVICE. Lifetime Services, SICK AG in Waldkirch / Germany. Introduction... 2. Protocols Used...

WHITEPAPER SECURITY CONCEPT FOR SICK REMOTE SERVICE. Lifetime Services, SICK AG in Waldkirch / Germany. Introduction... 2. Protocols Used... WHITEPAPER SECURITY CONCEPT FOR SICK REMOTE SERVICE L i f e T i m e S er v i c es, 2 0 1 3-0 3 EDITOR: TA B L E O F C O N T E N T S Lifetime Services, SICK AG in Waldkirch / Germany Introduction.......................................

More information

Public Key Infrastructure

Public Key Infrastructure Motivation: Public Key Infrastructure 1. Numerous people buy/sell over the internet hard to manage security of all possible pairs of connections with secret keys 2. US government subject to the Government

More information

Ericsson Group Certificate Value Statement - 2013

Ericsson Group Certificate Value Statement - 2013 COMPANY INFO 1 (23) Ericsson Group Certificate Value Statement - 2013 COMPANY INFO 2 (23) Contents 1 Ericsson Certificate Value Statement... 3 2 Introduction... 3 2.1 Overview... 3 3 Contact information...

More information

Common Criteria Protection Profile. Electronic Identity Card (ID_Card PP) BSI-CC-PP-0061. Approved by the Federal Ministry of Interior. Version 1.

Common Criteria Protection Profile. Electronic Identity Card (ID_Card PP) BSI-CC-PP-0061. Approved by the Federal Ministry of Interior. Version 1. Common Criteria Protection Profile Approved by the Federal Ministry of Interior Version 1.03, 1 Common Criteria Protection Profile Version 1.03, Foreword This Protection Profile is issued by Bundesamt

More information

HKUST CA. Certification Practice Statement

HKUST CA. Certification Practice Statement HKUST CA Certification Practice Statement IN SUPPORT OF HKUST CA CERTIFICATION SERVICES Version : 1.1 Date : 3 March 2000 Prepared by : Information Technology Services Center Hong Kong University of Science

More information

Danske Bank Group Certificate Policy

Danske Bank Group Certificate Policy Document history Version Date Remarks 1.0 19-05-2011 finalized 1.01 15-11-2012 URL updated after web page restructuring. 2 Table of Contents 1. Introduction... 4 2. Policy administration... 4 2.1 Overview...

More information

HKUST CA. Certification Practice Statement

HKUST CA. Certification Practice Statement HKUST CA Certification Practice Statement IN SUPPORT OF HKUST CA CERTIFICATION SERVICES Version : 2.1 Date : 12 November 2003 Prepared by : Information Technology Services Center Hong Kong University of

More information

Introduction. About Image-X Enterprises. Overview of PKI Technology

Introduction. About Image-X Enterprises. Overview of PKI Technology Digital Signature x Introduction In recent years, use of digital or electronic signatures has rapidly increased in an effort to streamline all types of business transactions. There are two types of electronic

More information

The Estonian ID Card and Digital Signature Concept

The Estonian ID Card and Digital Signature Concept The Estonian ID Card and Digital Signature Concept Principles and Solutions Ver 20030307 Contents Contents...2 Status of the document...3 Introduction...3 Intended audience...3 Current project status...3

More information

Identities Exposed. Privacy Risks with Using Client Certificates for Authentication. David Johansson Senior Consultant Cigital Ltd.

Identities Exposed. Privacy Risks with Using Client Certificates for Authentication. David Johansson Senior Consultant Cigital Ltd. Identities Exposed Privacy Risks with Using Client Certificates for Authentication David Johansson Senior Consultant Cigital Ltd. Objectives Objectives for this Tech Talk: Know the risks to user privacy

More information

PostSignum CA Certification Policy applicable to qualified personal certificates

PostSignum CA Certification Policy applicable to qualified personal certificates PostSignum CA Certification Policy applicable to qualified personal certificates Version 3.0 7565 Page 1/60 TABLE OF CONTENTS 1 Introduction... 5 1.1 Review... 5 1.2 Name and clear specification of a document...

More information

A new generation product range for your travel documents: passports and resident cards.

A new generation product range for your travel documents: passports and resident cards. ideal pass tm THIRD GENERATION TRAVEL DOCUMENTS A new generation product range for your travel documents: passports and resident cards. ideal pass tm THIRD GENERATION TRAVEL DOCUMENTS Morpho s vision for

More information

Network Security, spring Final Project Report X.509

Network Security, spring Final Project Report X.509 Network Security, spring 2008 Final Project Report X.509 This report is the final report for the Network Security course module of the LP 2 of the second semester in the Network Design course. The course

More information

The Algerian Biometric and electronic National Identity Card «CNIBE»

The Algerian Biometric and electronic National Identity Card «CNIBE» The Algerian Biometric and electronic National Identity Card «CNIBE» Hichem CHAYA Sub Director of the Personalization of Secured Documents and Titles Algerian Ministry of Interior Strengthening Aviation

More information

Understanding Digital Signature And Public Key Infrastructure

Understanding Digital Signature And Public Key Infrastructure Understanding Digital Signature And Public Key Infrastructure Overview The use of networked personnel computers (PC s) in enterprise environments and on the Internet is rapidly approaching the point where

More information

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008 Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008 Contents Authentication and Identity Assurance The Identity Assurance continuum Plain Password Authentication

More information

Security Issues in Cross-border Electronic Authentication

Security Issues in Cross-border Electronic Authentication Risk Assessment Report February 10 Security Issues in Cross-border Electronic Authentication www.enisa.europa.eu 2 Security Issues in Cross-border Electronic Authentication 1 About ENISA The European Network

More information

HOBCOM and HOBLink J-Term

HOBCOM and HOBLink J-Term HOB GmbH & Co. KG Schwadermühlstr. 3 90556 Cadolzburg Germany Tel: +49 09103 / 715-0 Fax: +49 09103 / 715-271 E-Mail: support@hobsoft.com Internet: www.hobsoft.com HOBCOM and HOBLink J-Term Single Sign-On

More information

Advanced Security Mechanisms for Machine Readable Travel Documents and eidas Token

Advanced Security Mechanisms for Machine Readable Travel Documents and eidas Token Technical Guideline TR-03110-4 Advanced Security Mechanisms for Machine Readable Travel Documents and eidas Token Part 4 Applications and Document Profiles Version 2.20 3. February 2015 History Version

More information

Certification Practice Statement of the Federal Reserve Banks Services Public Key Infrastructure

Certification Practice Statement of the Federal Reserve Banks Services Public Key Infrastructure Certification Practice Statement of the Federal Reserve Banks Services Public Key Infrastructure 1.0 INTRODUCTION 1.1 Overview The Federal Reserve Banks operate a public key infrastructure (PKI) that manages

More information

VoIP Security. Seminar: Cryptography and Security. 07.06.2006 Michael Muncan

VoIP Security. Seminar: Cryptography and Security. 07.06.2006 Michael Muncan VoIP Security Seminar: Cryptography and Security Michael Muncan Overview Introduction Secure SIP/RTP Zfone Skype Conclusion 1 Introduction (1) Internet changed to a mass media in the middle of the 1990s

More information

PUBLIC KEY INFRASTRUCTURE (PKI) BUYERS GUIDE entrust.com

PUBLIC KEY INFRASTRUCTURE (PKI) BUYERS GUIDE entrust.com PUBLIC KEY INFRASTRUCTURE (PKI) BUYERS GUIDE +1-888-690-2424 entrust.com Table of contents Introduction Page 3 Key Considerations When Selecting a PKI Solution Page 4 1. Certification Authority (CA) Page

More information

Terms of Service - YOUSIGN SAS - SIGN2 CA

Terms of Service - YOUSIGN SAS - SIGN2 CA Terms of Service - YOUSIGN SAS - SIGN2 CA 1- Introduction 1.1 General presentation This document defines the general conditions of use of the certificates issued in agreement with the digital signature

More information

esign Online Digital Signature Service

esign Online Digital Signature Service esign Online Digital Signature Service Government of India Ministry of Communications and Information Technology Department of Electronics and Information Technology Controller of Certifying Authorities

More information

Declaration of Conformity 21 CFR Part 11 SIMATIC WinCC flexible 2007

Declaration of Conformity 21 CFR Part 11 SIMATIC WinCC flexible 2007 Declaration of Conformity 21 CFR Part 11 SIMATIC WinCC flexible 2007 SIEMENS AG Industry Sector Industry Automation D-76181 Karlsruhe, Federal Republic of Germany E-mail: pharma.aud@siemens.com Fax: +49

More information

D.I.M. allows different authentication procedures, from simple e-mail confirmation to electronic ID.

D.I.M. allows different authentication procedures, from simple e-mail confirmation to electronic ID. Seite 1 von 11 Distributed Identity Management The intention of Distributed Identity Management is the advancement of the electronic communication infrastructure in justice with the goal of defining open,

More information

Strong Authentication: Enabling Efficiency and Maximizing Security in Your Microsoft Environment

Strong Authentication: Enabling Efficiency and Maximizing Security in Your Microsoft Environment Strong Authentication: Enabling Efficiency and Maximizing Security in Your Microsoft Environment IIIIII Best Practices www.gemalto.com IIIIII Table of Contents Strong Authentication and Cybercrime... 1

More information

Dr. Cunsheng DING HKUST, Hong Kong. Security Protocols. Security Protocols. Cunsheng Ding, HKUST COMP685C

Dr. Cunsheng DING HKUST, Hong Kong. Security Protocols. Security Protocols. Cunsheng Ding, HKUST COMP685C Cunsheng Ding, HKUST Lecture 06: Public-Key Infrastructure Main Topics of this Lecture 1. Digital certificate 2. Certificate authority (CA) 3. Public key infrastructure (PKI) Page 1 Part I: Digital Certificates

More information

eid Security Frank Cornelis Architect eid fedict 2008. All rights reserved

eid Security Frank Cornelis Architect eid fedict 2008. All rights reserved eid Security Frank Cornelis Architect eid The eid Project > Provides Belgian Citizens with an electronic identity card. > Gives Belgian Citizens a device to claim their identity in the new digital age.

More information

Glossary of Key Terms

Glossary of Key Terms and s Branch Glossary of Key Terms The terms and definitions listed in this glossary are used throughout the s Package to define key terms in the context of. Access Control Access The processes by which

More information

Biometrics for Public Sector Applications

Biometrics for Public Sector Applications Technical Guideline TR-03121-1 Biometrics for Public Sector Applications Part 1: Framework Version 2.3 Bundesamt für Sicherheit in der Informationstechnik Postfach 20 03 63, 53133 Bonn, Germany Email:

More information

3D SECURE. System Overview. We have seen merchants reduce fraud by up to 95% when integrating to 3D Secure...

3D SECURE. System Overview. We have seen merchants reduce fraud by up to 95% when integrating to 3D Secure... 3D SECURE We have seen merchants reduce fraud by up to 95% when integrating to 3D Secure... System Overview This document is intended for merchant and developers that want to gain a high level overview

More information